commonground-api-common 1.13.0__py3-none-any.whl → 2.4.1__py3-none-any.whl

vng_api_common/authorizations/middleware.py

@@ -0,0 +1,244 @@
+import logging
+from typing import Any, Dict, Iterable, List, Optional
+
+from django.conf import settings
+from django.db import models, transaction
+from django.db.models import QuerySet
+from django.utils.translation import gettext as _
+
+import jwt
+from djangorestframework_camel_case.util import underscoreize
+from requests import RequestException
+from rest_framework.exceptions import PermissionDenied
+
+from vng_api_common.client import ClientError, to_internal_data
+from vng_api_common.constants import VertrouwelijkheidsAanduiding
+
+from ..models import JWTSecret
+from ..utils import get_uuid_from_path
+from .models import Applicatie, AuthorizationsConfig, Autorisatie
+from .serializers import ApplicatieUuidSerializer
+
+logger = logging.getLogger(__name__)
+
+
+class JWTAuth:
+    def __init__(self, encoded: Optional[str] = None):
+        self.encoded = encoded
+
+    @property
+    def applicaties(self) -> Iterable[Applicatie]:
+        if self.client_id is None:
+            return []
+
+        applicaties = self._get_auth()
+
+        if not applicaties:
+            auth_data = self._request_auth()
+            applicaties = self._save_auth(auth_data)
+
+        return applicaties
+
+    @property
+    def autorisaties(self) -> models.QuerySet:
+        """
+        Retrieve all authorizations relevant to this component.
+        """
+        app_ids = [app.id for app in self.applicaties]
+        config = AuthorizationsConfig.get_solo()
+        return Autorisatie.objects.filter(
+            applicatie_id__in=app_ids, component=config.component
+        )
+
+    def _request_auth(self) -> list:
+        client = AuthorizationsConfig.get_client()
+
+        if not client:
+            logger.warning("Authorization component can't be accessed")
+            return []
+
+        try:
+            response = client.get("applicaties", params={"clientIds": self.client_id})
+
+            data = to_internal_data(response)
+        except RequestException:
+            logger.warning("Authorization component can't be accessed")
+            return []
+        except ClientError as exc:
+            response = exc.args[0]
+            # friendly debug - hint at where the problem is located
+            if response["status"] == 403 and response["code"] == "not_authenticated":
+                detail = _(
+                    "Component could not authenticate against the AC - "
+                    "authorizations could not be retrieved"
+                )
+                raise PermissionDenied(detail=detail, code="not_authenticated_for_ac")
+            logger.warning("Authorization component can't be accessed")
+            return []
+
+        return underscoreize(data["results"])
+
+    def _get_auth(self):
+        return Applicatie.objects.filter(client_ids__contains=[self.client_id])
+
+    @transaction.atomic
+    def _save_auth(self, auth_data):
+        applicaties = []
+
+        for applicatie_data in auth_data:
+            applicatie_serializer = ApplicatieUuidSerializer(data=applicatie_data)
+            uuid = get_uuid_from_path(applicatie_data["url"])
+            applicatie_data["uuid"] = uuid
+            applicatie_serializer.is_valid()
+            applicaties.append(applicatie_serializer.save())
+
+        return applicaties
+
+    @property
+    def payload(self) -> Optional[Dict[str, Any]]:
+        if self.encoded is None:
+            return None
+
+        if not hasattr(self, "_payload"):
+            # decode the JWT and validate it
+
+            # jwt check
+            try:
+                payload = jwt.decode(
+                    self.encoded,
+                    algorithms=["HS256"],
+                    options={"verify_signature": False},
+                    leeway=settings.JWT_LEEWAY,
+                )
+            except jwt.DecodeError:
+                logger.info("Invalid JWT encountered")
+                raise PermissionDenied(
+                    _(
+                        "JWT could not be decoded. Possibly you made a copy-paste mistake."
+                    ),
+                    code="jwt-decode-error",
+                )
+
+            # get client_id
+            try:
+                client_id = payload["client_id"]
+            except KeyError:
+                raise PermissionDenied(
+                    "Client identifier is niet aanwezig in JWT",
+                    code="missing-client-identifier",
+                )
+
+            # find client_id in DB and retrieve its secret
+            try:
+                jwt_secret = JWTSecret.objects.exclude(secret="").get(
+                    identifier=client_id
+                )
+            except JWTSecret.DoesNotExist:
+                raise PermissionDenied(
+                    "Client identifier bestaat niet", code="invalid-client-identifier"
+                )
+            else:
+                key = jwt_secret.secret
+
+            # check signature of the token
+            try:
+                payload = jwt.decode(
+                    self.encoded,
+                    key,
+                    algorithms=["HS256"],
+                    leeway=settings.JWT_LEEWAY,
+                )
+            except jwt.InvalidSignatureError:
+                logger.exception("Invalid signature - possible payload tampering?")
+                raise PermissionDenied(
+                    "Client credentials zijn niet geldig", code="invalid-jwt-signature"
+                )
+
+            self._payload = payload
+
+        return self._payload
+
+    @property
+    def client_id(self) -> Optional[str]:
+        if not self.payload:
+            return None
+        return self.payload["client_id"]
+
+    def filter_vertrouwelijkheidaanduiding(self, base: QuerySet, value) -> QuerySet:
+        if value is None:
+            return base
+
+        order_provided = VertrouwelijkheidsAanduiding.get_choice_order(value)
+        order_case = VertrouwelijkheidsAanduiding.get_order_expression(
+            "max_vertrouwelijkheidaanduiding"
+        )
+
+        # In this case we are filtering Autorisatie model to look for auth which meets our needs.
+        # Therefore we're only considering authorizations here that have a max_vertrouwelijkheidaanduiding
+        # bigger or equal than what we're checking for the object.
+        # In cases when we are filtering data objects (Zaak, InformatieObject etc) it's the other way around
+
+        return base.annotate(max_vertr=order_case).filter(max_vertr__gte=order_provided)
+
+    def filter_default(self, base: QuerySet, name, value) -> QuerySet:
+        if value is None:
+            return base
+
+        return base.filter(**{name: value})
+
+    def has_auth(
+        self, scopes: List[str], component: Optional[str] = None, **fields
+    ) -> bool:
+        if scopes is None:
+            return False
+
+        scopes_provided = set()
+        config = AuthorizationsConfig.get_solo()
+        if component is None:
+            component = config.component
+
+        for applicatie in self.applicaties:
+            # allow everything
+            if applicatie.heeft_alle_autorisaties is True:
+                return True
+
+            autorisaties = applicatie.autorisaties.filter(component=component)
+
+            # filter on all additional components
+            for field_name, field_value in fields.items():
+                if hasattr(self, f"filter_{field_name}"):
+                    autorisaties = getattr(self, f"filter_{field_name}")(
+                        autorisaties, field_value
+                    )
+                else:
+                    autorisaties = self.filter_default(
+                        autorisaties, field_name, field_value
+                    )
+
+            for autorisatie in autorisaties:
+                scopes_provided.update(autorisatie.scopes)
+
+        return scopes.is_contained_in(list(scopes_provided))
+
+
+class AuthMiddleware:
+    header = "HTTP_AUTHORIZATION"
+    auth_type = "Bearer"
+
+    def __init__(self, get_response=None):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        self.extract_jwt_payload(request)
+        return self.get_response(request) if self.get_response else None
+
+    def extract_jwt_payload(self, request):
+        authorization = request.META.get(self.header, "")
+        prefix = f"{self.auth_type} "
+        if authorization.startswith(prefix):
+            # grab the actual token
+            encoded = authorization[len(prefix) :]
+        else:
+            encoded = None
+
+        request.jwt_auth = JWTAuth(encoded)

vng_api_common/authorizations/migrations/0016_remove_authorizationsconfig_api_root_and_more.py

@@ -0,0 +1,76 @@
+# Generated by Django 5.1.2 on 2024-10-25 14:07
+
+import logging
+
+import django.db.models.deletion
+from django.db import migrations, models
+from django.utils.text import slugify
+
+from zgw_consumers.constants import APITypes, AuthTypes
+
+logger = logging.getLogger(__name__)
+
+
+def migrate_authorization_config_to_service(apps, _) -> None:
+    AuthorizationsConfig = apps.get_model("authorizations", "AuthorizationsConfig")
+    Service = apps.get_model("zgw_consumers", "Service")
+
+    service_label = "Authorization API service"
+
+    config, _ = AuthorizationsConfig.objects.get_or_create()
+    service, created = Service.objects.get_or_create(
+        api_root=config.api_root,
+        defaults=dict(
+            label="Authorization API service",
+            slug=slugify(service_label),
+            api_type=APITypes.ac,
+            auth_type=AuthTypes.zgw,
+        ),
+    )
+    config.authorizations_api_service = service
+    config.save()
+
+    if created:
+        logger.info(f"Created new Service for {config.api_root}")
+    else:
+        logger.info(f"Existing service found for {config.api_root}")
+
+
+def migrate_authorization_config_to_config(apps, _) -> None:
+    AuthorizationsConfig = apps.get_model("authorizations", "AuthorizationsConfig")
+
+    config, _ = AuthorizationsConfig.objects.get_or_create()
+    if config.authorizations_api_service:
+        config.api_root = config.authorizations_api_service.api_root
+    config.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authorizations", "0015_auto_20220318_1608"),
+        ("zgw_consumers", "0022_set_default_service_slug"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="authorizationsconfig",
+            name="authorizations_api_service",
+            field=models.ForeignKey(
+                blank=True,
+                limit_choices_to={"api_type": "ac", "auth_type": "zgw"},
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                to="zgw_consumers.service",
+                verbose_name="autorisations api service",
+            ),
+        ),
+        migrations.RunPython(
+            migrate_authorization_config_to_service,
+            reverse_code=migrate_authorization_config_to_config,
+        ),
+        migrations.RemoveField(
+            model_name="authorizationsconfig",
+            name="api_root",
+        ),
+    ]

vng_api_common/authorizations/models.py

@@ -1,17 +1,28 @@
 import uuid
+from typing import Optional
 
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
+from solo.models import SingletonModel
+from zgw_consumers.constants import APITypes, AuthTypes
+
+from vng_api_common.client import Client, get_client
+
 from ..constants import ComponentTypes, VertrouwelijkheidsAanduiding
 from ..decorators import field_default
 from ..fields import VertrouwelijkheidsAanduidingField
-from ..models import APIMixin, ClientConfig
+from ..models import APIMixin
+
 
+class AuthorizationsConfigManager(models.Manager):
+    def get_queryset(self):
+        qs = super().get_queryset()
+        return qs.select_related("authorizations_api_service")
 
-@field_default("api_root", "https://autorisaties-api.vng.cloud/api/v1")
-class AuthorizationsConfig(ClientConfig):
+
+class AuthorizationsConfig(SingletonModel):
     component = models.CharField(
         _("component"),
         max_length=50,
@@ -19,9 +30,38 @@ class AuthorizationsConfig(ClientConfig):
         default=ComponentTypes.zrc,
     )
 
+    authorizations_api_service = models.ForeignKey(
+        "zgw_consumers.Service",
+        limit_choices_to=dict(
+            api_type=APITypes.ac,
+            auth_type=AuthTypes.zgw,
+        ),
+        verbose_name=_("autorisations api service"),
+        on_delete=models.SET_NULL,
+        blank=True,
+        null=True,
+    )
+
+    objects = AuthorizationsConfigManager()
+
     class Meta:
         verbose_name = _("Autorisatiecomponentconfiguratie")
 
+    @classmethod
+    def get_client(cls) -> Optional[Client]:
+        """
+        Construct a client, prepared with the required auth.
+        """
+        config = cls.get_solo()
+        if config.authorizations_api_service:
+            return get_client(config.authorizations_api_service.api_root)
+        return None
+
+
+class ApplicatieManager(models.Manager):
+    def get_by_natural_key(self, uuid):
+        return self.get(uuid=uuid)
+
 
 class Applicatie(APIMixin, models.Model):
     """
@@ -52,10 +92,20 @@ class Applicatie(APIMixin, models.Model):
         ),
     )
 
+    objects = ApplicatieManager()
+
+    def natural_key(self):
+        return (str(self.uuid),)
+
     def __str__(self):
         return f"Applicatie ({self.label})"
 
 
+class AutorisatieManager(models.Manager):
+    def get_by_natural_key(self, applicatie, component, scopes):
+        return self.get(applicatie=applicatie, component=component, scopes=scopes)
+
+
 class Autorisatie(APIMixin, models.Model):
     applicatie = models.ForeignKey(
         "Applicatie",
@@ -109,6 +159,15 @@ class Autorisatie(APIMixin, models.Model):
         blank=True,
     )
 
+    objects = AutorisatieManager()
+
+    def natural_key(self):
+        return (
+            self.applicatie,
+            self.component,
+            self.scopes,
+        )
+
     def satisfy_vertrouwelijkheid(self, vertrouwelijkheidaanduiding: str) -> bool:
         max_confid_level = VertrouwelijkheidsAanduiding.get_choice(
             self.max_vertrouwelijkheidaanduiding

vng_api_common/authorizations/utils.py

@@ -0,0 +1,17 @@
+def generate_jwt(client_id, secret, user_id, user_representation):
+    from zgw_consumers.client import ZGWAuth
+
+    class FakeService:
+        def __init__(self, **kwargs):
+            for key, value in kwargs.items():
+                setattr(self, key, value)
+
+    auth = ZGWAuth(
+        service=FakeService(  # type: ignore
+            client_id=client_id,
+            secret=secret,
+            user_id=user_id,
+            user_representation=user_representation,
+        )
+    )
+    return f"Bearer {auth._token}"

vng_api_common/client.py

@@ -1,44 +1,76 @@
 """
-Interface to get a zds_client object for a given URL.
+Interface to get a client object for a given URL.
 """
 
-from typing import Optional
+import logging
 
-from django.apps import apps
-from django.conf import settings
-from django.utils.module_loading import import_string
+from ape_pie import APIClient
+from requests import JSONDecodeError, RequestException, Response
 
-from zds_client import Client
+logger = logging.getLogger(__name__)
 
 
-def get_client(url: str, url_is_api_root=False) -> Optional[Client]:
-    """
-    Get a client instance for the given URL.
+class ClientError(RuntimeError):
+    pass
 
-    If the setting CUSTOM_CLIENT_FETCHER is defined, then this callable is invoked.
-    Otherwise we fall back on the default implementation.
 
-    If no suitable client is found, ``None`` is returned.
-    """
-    custom_client_fetcher = getattr(settings, "CUSTOM_CLIENT_FETCHER", None)
-    if custom_client_fetcher:
-        client_getter = import_string(custom_client_fetcher)
-        return client_getter(url)
+class NoServiceConfigured(RuntimeError):
+    pass
+
+
+# TODO: use more approriate method name
+def to_internal_data(response: Response) -> dict | list | None:
+    try:
+        response_json = response.json()
+    except JSONDecodeError:
+        logger.exception("Unable to parse json from response")
+        response_json = None
+
+    try:
+        response.raise_for_status()
+    except RequestException as exc:
+        if response.status_code >= 500:
+            raise
+        raise ClientError(response_json if response_json is not None else {}) from exc
+
+    return response_json
+
 
-    # default implementation
-    Client = import_string(settings.ZDS_CLIENT_CLASS)
+class Client(APIClient):
+    def request(
+        self, method: str | bytes, url: str | bytes, *args, **kwargs
+    ) -> Response:
 
-    if url_is_api_root and not url.endswith("/"):
-        url = f"{url}/"
+        headers = kwargs.pop("headers", {})
+        headers.setdefault("Accept", "application/json")
+        headers.setdefault("Content-Type", "application/json")
 
-    client = Client.from_url(url)
-    if client is None:
-        return None
+        kwargs["headers"] = headers
+
+        data = kwargs.get("data", {})
+
+        if data:
+            kwargs["json"] = data
+
+        return super().request(method, url, *args, **kwargs)
+
+
+def get_client(
+    url: str, raise_exceptions: bool = False, **client_kwargs
+) -> Client | None:
+    """
+    Get a client instance for the given URL.
+    If no suitable client is found, ``None`` is returned.
+    """
+    from zgw_consumers.client import build_client
+    from zgw_consumers.models import Service
 
-    APICredential = apps.get_model("vng_api_common", "APICredential")
+    service: Service | None = Service.get_service(url)
 
-    if url_is_api_root:
-        client.base_url = url
+    if not service:
+        logger.warning(f"No service configured for {url}")
+        if raise_exceptions:
+            raise NoServiceConfigured(f"{url} API should be added to Service model")
+        return
 
-    client.auth = APICredential.get_auth(url)
-    return client
+    return build_client(service, client_factory=Client, **client_kwargs)

vng_api_common/conf/api.py

@@ -1,10 +1,9 @@
 __all__ = [
     "API_VERSION",
     "BASE_REST_FRAMEWORK",
-    "BASE_SWAGGER_SETTINGS",
+    "BASE_SPECTACULAR_SETTINGS",
     "COMMON_SPEC",
     "LINK_FETCHER",
-    "ZDS_CLIENT_CLASS",
     "GEMMA_URL_TEMPLATE",
     "GEMMA_URL_COMPONENTTYPE",
     "GEMMA_URL_INFORMATIEMODEL",
@@ -13,43 +12,30 @@ __all__ = [
     "NOTIFICATIONS_KANAAL",
     "NOTIFICATIONS_DISABLED",
     "JWT_LEEWAY",
+    "SECURITY_DEFINITION_NAME",
     "COMMONGROUND_API_COMMON_GET_DOMAIN",
+    "JWT_SPECTACULAR_SETTINGS",
 ]
 
 API_VERSION = "1.0.0-rc1"  # semantic version
 
+SECURITY_DEFINITION_NAME = "JWT-Claims"
+
 BASE_REST_FRAMEWORK = {
+    "DEFAULT_SCHEMA_CLASS": "vng_api_common.schema.AutoSchema",
     "DEFAULT_RENDERER_CLASSES": (
         "djangorestframework_camel_case.render.CamelCaseJSONRenderer",
     ),
     "DEFAULT_PARSER_CLASSES": (
         "djangorestframework_camel_case.parser.CamelCaseJSONParser",
     ),
-    "DEFAULT_AUTHENTICATION_CLASSES": (
-        # 'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
-        # 'rest_framework.authentication.SessionAuthentication',
-        # 'rest_framework.authentication.BasicAuthentication'
-    ),
     # there is no authentication of 'end-users', only authorization (via JWT)
     # of applications
     "DEFAULT_AUTHENTICATION_CLASSES": (),
-    # 'DEFAULT_PERMISSION_CLASSES': (
-    #     'oauth2_provider.contrib.rest_framework.TokenHasReadWriteScope',
-    #     # 'rest_framework.permissions.IsAuthenticated',
-    #     # 'rest_framework.permissions.AllowAny',
-    # ),
     "DEFAULT_VERSIONING_CLASS": "rest_framework.versioning.URLPathVersioning",
-    #
-    # # Generic view behavior
-    # 'DEFAULT_PAGINATION_CLASS': 'ztc.api.utils.pagination.HALPagination',
-    "DEFAULT_FILTER_BACKENDS": (
-        "vng_api_common.filters.Backend",
-        # 'rest_framework.filters.SearchFilter',
-        # 'rest_framework.filters.OrderingFilter',
-    ),
+    "DEFAULT_FILTER_BACKENDS": ("vng_api_common.filters.Backend",),
     #
     # # Filtering
-    # 'SEARCH_PARAM': 'zoek',  # 'search',
     "ORDERING_PARAM": "ordering",  # 'ordering',
     #
     # Versioning
@@ -61,41 +47,40 @@ BASE_REST_FRAMEWORK = {
     "EXCEPTION_HANDLER": "vng_api_common.views.exception_handler",
     "TEST_REQUEST_DEFAULT_FORMAT": "json",
 }
-
-BASE_SWAGGER_SETTINGS = {
+BASE_SPECTACULAR_SETTINGS = {
     "DEFAULT_GENERATOR_CLASS": "vng_api_common.generators.OpenAPISchemaGenerator",
-    "DEFAULT_AUTO_SCHEMA_CLASS": "vng_api_common.inspectors.view.AutoSchema",
-    "DEFAULT_INFO": "must.be.overridden",
-    "DEFAULT_FIELD_INSPECTORS": (
-        # GeometryFieldInspector has external dependencies, and is opt-in
-        # 'vng_api_common.inspectors.geojson.GeometryFieldInspector',
-        "vng_api_common.inspectors.fields.HyperlinkedIdentityFieldInspector",
-        "vng_api_common.inspectors.fields.ReadOnlyFieldInspector",
-        "vng_api_common.inspectors.polymorphic.PolymorphicSerializerInspector",
-        "vng_api_common.inspectors.fields.GegevensGroepInspector",
-        "drf_yasg.inspectors.CamelCaseJSONFilter",
-        "drf_yasg.inspectors.RecursiveFieldInspector",
-        "drf_yasg.inspectors.ReferencingSerializerInspector",
-        "drf_yasg.inspectors.ChoiceFieldInspector",
-        "drf_yasg.inspectors.FileFieldInspector",
-        "drf_yasg.inspectors.DictFieldInspector",
-        "drf_yasg.inspectors.JSONFieldInspector",
-        "drf_yasg.inspectors.HiddenFieldInspector",
-        "drf_yasg.inspectors.RelatedFieldInspector",
-        "drf_yasg.inspectors.SerializerMethodFieldInspector",
-        "drf_yasg.inspectors.SimpleFieldInspector",
-        "drf_yasg.inspectors.StringDefaultFieldInspector",
-    ),
-    "DEFAULT_FILTER_INSPECTORS": ("vng_api_common.inspectors.query.FilterInspector",),
+    "SERVE_INCLUDE_SCHEMA": False,
+    "POSTPROCESSING_HOOKS": [
+        "drf_spectacular.hooks.postprocess_schema_enums",
+        "drf_spectacular.contrib.djangorestframework_camel_case.camelize_serializer_fields",
+    ],
+    "SCHEMA_PATH_PREFIX": "/api/v1",
+}
+
+# add to SPECTACULAR_SETTINGS if you are using the AuthMiddleware
+JWT_SPECTACULAR_SETTINGS = {
+    "APPEND_COMPONENTS": {
+        "securitySchemes": {
+            SECURITY_DEFINITION_NAME: {
+                "type": "http",
+                "bearerFormat": "JWT",
+                "scheme": "bearer",
+            }
+        },
+    },
+    "SECURITY": [
+        {
+            SECURITY_DEFINITION_NAME: [],
+        }
+    ],
 }
 
+
 REDOC_SETTINGS = {"EXPAND_RESPONSES": "200,201", "SPEC_URL": "openapi.json"}
 
 # See: https://github.com/Rebilly/ReDoc#redoc-options-object
 LINK_FETCHER = "requests.get"
 
-ZDS_CLIENT_CLASS = "zds_client.Client"
-
 GEMMA_URL_TEMPLATE = "https://www.gemmaonline.nl/index.php/{informatiemodel}_{versie}/doc/{componenttype}/{component}"
 GEMMA_URL_COMPONENTTYPE = "objecttype"
 GEMMA_URL_INFORMATIEMODEL = "Rgbz"